[<prev] [next>] [day] [month] [year] [list]
Message-Id: <3E15FAA4-9561-4DC6-A164-83DD80AAF408@bogner.sh>
Date: Mon, 10 Jul 2017 22:31:24 +0200
From: Florian Bogner <florian@...ner.sh>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2017-4918: Code Injection in VMware Horizon’s macOS Client
CVE-2017-4918: Code Injection in VMware Horizon’s macOS Client
Metadata
===================================================
Release Date: 10-July-2017
Author: Florian Bogner // https://bogner.sh
Affected product: VMware Horizon‘s macOS Client
Fixed in: Version 4.5
Tested on: OS X El Capitan 10.11.6
CVE: CVE-2017-4918
URL: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/
Vulnerability Status: Fixed
Product Description
===================================================
VMware Horizon 7 is the leading platform for virtual desktops and applications.
Provide end users access to all of their virtual desktops, applications, and online services through a single digital workspace.
Vulnerability Description
===================================================
An issue within a shell script of VMware Horizon's macOS client could be abused to load arbitrary kernel extensions. In detail, this was possible because a user modifiable environment variable was used to build the command line for a highly privileged command.
Further technical details can be found on my blog: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/
Suggested Solution
===================================================
Update to the latest version (fixed in 4.5)
Disclosure Timeline
===================================================
21-04-2017: The issues has been documented and reported
24-04-2017: VMware started investigating
06-06-2017: Fix ready
08-06-2017: Updated Horizon version 4.5 alongside security advisory VMSA-2017-0011 released
Florian Bogner
eMail: florian@...ner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9
Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists